Getting Data In

Anonymize only Child Nodes

jmaguire1992
Explorer

Hello,
I was wondering could anyone help me figure out the sed script required and regex to Anonymize child nodes from xml - The difficulty seems to be due to the fact each node takes it's own line within splunk rather than usual single line <testfield> 123 </testfield>. Here is an example of how it appears:

<userDetails> 
<name> 
<testfield> 
123
</testfield> 
</name>
</userDetails>

And the appearance I would want would be something like:

<userDetails> 
 <name> 
 <testfield> 
 xxxx
 </testfield>
 </name>
 </userDetails>

Any help would be great with this - thank you.

James

0 Karma
1 Solution

jmaguire1992
Explorer

I figured it out - Here is the answer for anyone who might need it.

 SEDCMD-testdata_anonymizer = s/(.*)<testfield>[\s\S]*?<\/testfield>.*/\1 <testfield>xxxx<\/testfield>/g

View solution in original post

0 Karma

jmaguire1992
Explorer

I figured it out - Here is the answer for anyone who might need it.

 SEDCMD-testdata_anonymizer = s/(.*)<testfield>[\s\S]*?<\/testfield>.*/\1 <testfield>xxxx<\/testfield>/g
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...